Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
20-04-2024 21:27
General
-
Target
b3b72ee5f75548ec5abc663e3c9b1531d94fd353923437a4d76c2f7b2c3eba98.exe
-
Size
4.2MB
-
MD5
1e13b50b8c4d708a6a19b9f75ebb9b98
-
SHA1
17d26966bc196ae0226cc36559815ca1e3a0dd15
-
SHA256
b3b72ee5f75548ec5abc663e3c9b1531d94fd353923437a4d76c2f7b2c3eba98
-
SHA512
5e57068043a83296ec69e38f99b25feffc6c3d76e43fa2d5f2c6ecdca5fc01e101794ffc00bbe9321ebd2de79dea80d9d3b3745fb65e2eae58e2b16f82ed3c33
-
SSDEEP
98304:qB6TE4JDSTIitXqfSjBwF+v4rSSNjcdSqGUwT7RQU7OQ:3TFmTI8qKjKFA4r+dAh7RQUV
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 19 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 7 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b3b72ee5f75548ec5abc663e3c9b1531d94fd353923437a4d76c2f7b2c3eba98.exe"C:\Users\Admin\AppData\Local\Temp\b3b72ee5f75548ec5abc663e3c9b1531d94fd353923437a4d76c2f7b2c3eba98.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\b3b72ee5f75548ec5abc663e3c9b1531d94fd353923437a4d76c2f7b2c3eba98.exe"C:\Users\Admin\AppData\Local\Temp\b3b72ee5f75548ec5abc663e3c9b1531d94fd353923437a4d76c2f7b2c3eba98.exe"2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hthkxwwt.glw.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD50943f78b5a084fc836b9e8829e815a85
SHA13531bc434c9583a5ff02cecbc603d4803deb9694
SHA256479e935699a34ff4e6337a67c1b2d3656f46a4cd48deb5485b541ff6f223201a
SHA51235f29667c872cc2deadcaac4d80a6fb0a1c008fd690e3daa18254d1a0ec0c350ab03d9dc95696fe4c6ca1347074639c64b2a2d4bc5c931eba661fae98fb8fd5f
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5ac8cbcf0bbf54876fe92a57f8b126296
SHA1c1adf98ab8ee75d05373643483b14a192cc37db5
SHA2569e8ffcaf9cb09a3b54fea328fdb2f8b8da923ee03f637a3956360208bfae9053
SHA5123808b635e3522b8cb42d3824412012944d3ae6468ba6b4994897ef9b2bcf2f6bcb81ce8f4632e3b7da17d868b0c7b878ead71b069e8a79ad10d8954fdddebe9e
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD551d21515a8692888333c3ff109231684
SHA1dcf7fd2a398ca0161af0d9f0326da94ba3dc54f4
SHA2561424563951bf5675f46434412f217d98081c0fb23b462dcb47b4b7fe4733cb2c
SHA5120f16d4f787bc4776774dc27725c03cdc7eadacd879386cc6b147e00fab59dc8c1e936cd50adb2fec1a9a0184ac0e0e8c1a5afe395b6ee6cb36936ec8efe7f403
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5e0e1399568e0b9d84cd4df7f52e2c786
SHA12b04de9ef86b2f037794b50c0aa48150ba3488dc
SHA2566840fbc7ee53a5185daf608d4e6d1b019f15263729e999aa15b713cdf4ddf3a1
SHA51259b6f405cc81a7f894ff4767539886bb010550df059177b645b4e97a83a2d183c4b2ca6f1788ea9e6366ca597508f85edca92cb4ac221f1706b5b1ce3dab75c2
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5892f53c2c747b63f629b4bb2a4feb518
SHA175a6894827b005b26f6c2c433f5092cb35fcc5e3
SHA2569f4f6761937bf02b7de0ec43c13618a885e512b75b7606f3f9572ffb777637c0
SHA5127ccd3b522c07e34471e9d483ff77921ba6cc0127ca0d5ba820c5f5b2859cafa34cec9dae05c2efb0f530a25a2a0ecaefb4c88d1e3c44fec04f91928c3225cdcf
-
C:\Windows\rss\csrss.exeFilesize
4.2MB
MD51e13b50b8c4d708a6a19b9f75ebb9b98
SHA117d26966bc196ae0226cc36559815ca1e3a0dd15
SHA256b3b72ee5f75548ec5abc663e3c9b1531d94fd353923437a4d76c2f7b2c3eba98
SHA5125e57068043a83296ec69e38f99b25feffc6c3d76e43fa2d5f2c6ecdca5fc01e101794ffc00bbe9321ebd2de79dea80d9d3b3745fb65e2eae58e2b16f82ed3c33
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
memory/1044-43-0x0000000005000000-0x0000000005010000-memory.dmpFilesize
64KB
-
memory/1044-46-0x0000000007B10000-0x0000000007B21000-memory.dmpFilesize
68KB
-
memory/1044-24-0x0000000006850000-0x0000000006894000-memory.dmpFilesize
272KB
-
memory/1044-25-0x0000000007800000-0x0000000007876000-memory.dmpFilesize
472KB
-
memory/1044-27-0x0000000006A80000-0x0000000006A9A000-memory.dmpFilesize
104KB
-
memory/1044-26-0x0000000007F00000-0x000000000857A000-memory.dmpFilesize
6.5MB
-
memory/1044-30-0x0000000070970000-0x00000000709BC000-memory.dmpFilesize
304KB
-
memory/1044-29-0x00000000079B0000-0x00000000079E2000-memory.dmpFilesize
200KB
-
memory/1044-28-0x000000007EF30000-0x000000007EF40000-memory.dmpFilesize
64KB
-
memory/1044-41-0x00000000079F0000-0x0000000007A0E000-memory.dmpFilesize
120KB
-
memory/1044-22-0x0000000006420000-0x000000000643E000-memory.dmpFilesize
120KB
-
memory/1044-42-0x0000000007A10000-0x0000000007AB3000-memory.dmpFilesize
652KB
-
memory/1044-31-0x0000000070AF0000-0x0000000070E44000-memory.dmpFilesize
3.3MB
-
memory/1044-44-0x0000000007B00000-0x0000000007B0A000-memory.dmpFilesize
40KB
-
memory/1044-45-0x0000000007C10000-0x0000000007CA6000-memory.dmpFilesize
600KB
-
memory/1044-23-0x00000000064D0000-0x000000000651C000-memory.dmpFilesize
304KB
-
memory/1044-47-0x0000000007B50000-0x0000000007B5E000-memory.dmpFilesize
56KB
-
memory/1044-48-0x0000000007B70000-0x0000000007B84000-memory.dmpFilesize
80KB
-
memory/1044-49-0x0000000007BB0000-0x0000000007BCA000-memory.dmpFilesize
104KB
-
memory/1044-50-0x0000000007BA0000-0x0000000007BA8000-memory.dmpFilesize
32KB
-
memory/1044-53-0x0000000074AD0000-0x0000000075280000-memory.dmpFilesize
7.7MB
-
memory/1044-4-0x0000000002E30000-0x0000000002E66000-memory.dmpFilesize
216KB
-
memory/1044-21-0x0000000005FF0000-0x0000000006344000-memory.dmpFilesize
3.3MB
-
memory/1044-13-0x0000000005DE0000-0x0000000005E46000-memory.dmpFilesize
408KB
-
memory/1044-10-0x0000000005510000-0x0000000005576000-memory.dmpFilesize
408KB
-
memory/1044-9-0x0000000005470000-0x0000000005492000-memory.dmpFilesize
136KB
-
memory/1044-8-0x0000000005640000-0x0000000005C68000-memory.dmpFilesize
6.2MB
-
memory/1044-7-0x0000000005000000-0x0000000005010000-memory.dmpFilesize
64KB
-
memory/1044-6-0x0000000005000000-0x0000000005010000-memory.dmpFilesize
64KB
-
memory/1044-5-0x0000000074AD0000-0x0000000075280000-memory.dmpFilesize
7.7MB
-
memory/1256-261-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/1932-84-0x00000000075C0000-0x0000000007663000-memory.dmpFilesize
652KB
-
memory/1932-91-0x0000000074AD0000-0x0000000075280000-memory.dmpFilesize
7.7MB
-
memory/1932-74-0x00000000710F0000-0x0000000071444000-memory.dmpFilesize
3.3MB
-
memory/1932-73-0x0000000070970000-0x00000000709BC000-memory.dmpFilesize
304KB
-
memory/1932-72-0x000000007F6C0000-0x000000007F6D0000-memory.dmpFilesize
64KB
-
memory/1932-64-0x0000000005D40000-0x0000000006094000-memory.dmpFilesize
3.3MB
-
memory/1932-86-0x0000000002D90000-0x0000000002DA0000-memory.dmpFilesize
64KB
-
memory/1932-87-0x00000000078E0000-0x00000000078F1000-memory.dmpFilesize
68KB
-
memory/1932-88-0x0000000007930000-0x0000000007944000-memory.dmpFilesize
80KB
-
memory/1932-70-0x0000000002D90000-0x0000000002DA0000-memory.dmpFilesize
64KB
-
memory/1932-69-0x0000000074AD0000-0x0000000075280000-memory.dmpFilesize
7.7MB
-
memory/1932-71-0x0000000002D90000-0x0000000002DA0000-memory.dmpFilesize
64KB
-
memory/4028-57-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/4028-155-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/4028-55-0x0000000003B30000-0x0000000003F29000-memory.dmpFilesize
4.0MB
-
memory/4028-107-0x0000000003B30000-0x0000000003F29000-memory.dmpFilesize
4.0MB
-
memory/4028-56-0x0000000003F30000-0x000000000481B000-memory.dmpFilesize
8.9MB
-
memory/4280-93-0x0000000074AD0000-0x0000000075280000-memory.dmpFilesize
7.7MB
-
memory/4280-108-0x000000007F740000-0x000000007F750000-memory.dmpFilesize
64KB
-
memory/4280-106-0x0000000070970000-0x00000000709BC000-memory.dmpFilesize
304KB
-
memory/4280-121-0x0000000074AD0000-0x0000000075280000-memory.dmpFilesize
7.7MB
-
memory/4280-119-0x0000000004FE0000-0x0000000004FF0000-memory.dmpFilesize
64KB
-
memory/4280-109-0x0000000070AF0000-0x0000000070E44000-memory.dmpFilesize
3.3MB
-
memory/4280-94-0x0000000004FE0000-0x0000000004FF0000-memory.dmpFilesize
64KB
-
memory/4280-95-0x0000000004FE0000-0x0000000004FF0000-memory.dmpFilesize
64KB
-
memory/4512-264-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/4512-270-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/4648-281-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/4648-296-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/4648-266-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/4648-293-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/4648-290-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/4648-287-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/4648-253-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/4648-284-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/4648-278-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/4648-269-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/4648-275-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/4648-272-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/4648-263-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/4672-3-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/4672-2-0x0000000004070000-0x000000000495B000-memory.dmpFilesize
8.9MB
-
memory/4672-85-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/4672-1-0x0000000003C60000-0x0000000004064000-memory.dmpFilesize
4.0MB
-
memory/4672-58-0x0000000003C60000-0x0000000004064000-memory.dmpFilesize
4.0MB
-
memory/4760-136-0x0000000070970000-0x00000000709BC000-memory.dmpFilesize
304KB
-
memory/4760-137-0x00000000710F0000-0x0000000071444000-memory.dmpFilesize
3.3MB
-
memory/4760-122-0x0000000074AD0000-0x0000000075280000-memory.dmpFilesize
7.7MB
-
memory/4760-124-0x0000000002F80000-0x0000000002F90000-memory.dmpFilesize
64KB
-
memory/4760-123-0x0000000002F80000-0x0000000002F90000-memory.dmpFilesize
64KB